Additional fix for ITS#4522. The "dn=" ist not optional.

[openldap] / servers / slapd / bconfig.c
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c

index f127993d35c24e2fd079e5dce76d4c72dbb08eb1..2f4528645074d32f1169648bda14ca298587098f 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2,7 +2,7 @@
  /* $OpenLDAP$ */
  /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   *
- * Copyright 2005 The OpenLDAP Foundation.
+ * Copyright 2005-2006 The OpenLDAP Foundation.
   * All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
@@ -40,6 +40,8 @@
  static struct berval config_rdn = BER_BVC("cn=config");
  static struct berval schema_rdn = BER_BVC("cn=schema");
  
+extern int slap_DN_strict;     /* dn.c */
+
  #ifdef SLAPD_MODULES
  typedef struct modpath_s {
         struct modpath_s *mp_next;
@@ -86,7 +88,7 @@ static ConfigFile *cfn;
  static Avlnode *CfOcTree;
  
  static int config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca,
-       SlapReply *rs, int *renumber );
+       SlapReply *rs, int *renumber, Operation *op );
  
  static ConfigDriver config_fname;
  static ConfigDriver config_cfdir;
@@ -159,6 +161,7 @@ enum {
         CFG_SSTR_IF_MAX,
         CFG_SSTR_IF_MIN,
         CFG_TTHREADS,
+       CFG_MIRRORMODE,
  
         CFG_LAST
  };
@@ -211,6 +214,12 @@ static OidRec OidMacros[] = {
   * OLcfgOv{Oc|At}:6                    -> smbk5pwd
   * OLcfgOv{Oc|At}:7                    -> distproc
   * OLcfgOv{Oc|At}:8                    -> dynlist
+ * OLcfgOv{Oc|At}:9                    -> dds
+ * OLcfgOv{Oc|At}:10           -> unique
+ * OLcfgOv{Oc|At}:11           -> refint
+ * OLcfgOv{Oc|At}:12           -> ppolicy
+ * OLcfgOv{Oc|At}:13           -> constraint
+ * OLcfgOv{Oc|At}:14           -> translucent
   */
  
  /* alphabetical ordering */
@@ -246,7 +255,7 @@ static ConfigTable config_back_cf_table[] = {
                 &config_generic, "( OLcfgGlAt:5 NAME 'olcAttributeOptions' "
                         "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
-       { "attribute",  "attribute", 2, 0, 9,
+       { "attribute",  "attribute", 2, 0, STRLENOF( "attribute" ),
                 ARG_PAREN|ARG_MAGIC|CFG_ATTR|ARG_NO_DELETE|ARG_NO_INSERT,
                 &config_generic, "( OLcfgGlAt:4 NAME 'olcAttributeTypes' "
                         "DESC 'OpenLDAP attributeTypes' "
@@ -333,6 +342,7 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
         { "limits", "limits", 2, 0, 0, ARG_DB|ARG_MAGIC|CFG_LIMITS,
                 &config_generic, "( OLcfgDbAt:0.5 NAME 'olcLimits' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
         { "localSSF", "ssf", 2, 2, 0, ARG_INT,
                 &local_ssf, "( OLcfgGlAt:26 NAME 'olcLocalSSF' "
@@ -342,10 +352,14 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
         { "loglevel", "level", 2, 0, 0, ARG_MAGIC,
                 &config_loglevel, "( OLcfgGlAt:28 NAME 'olcLogLevel' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "maxDerefDepth", "depth", 2, 2, 0, ARG_DB|ARG_INT|ARG_MAGIC|CFG_DEPTH,
                 &config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' "
                         "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+       { "mirrormode", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MIRRORMODE,
+               &config_generic, "( OLcfgDbAt:0.16 NAME 'olcMirrorMode' "
+                       "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
         { "moduleload", "file", 2, 0, 0,
  #ifdef SLAPD_MODULES
                 ARG_MAGIC|CFG_MODLOAD, &config_generic,
@@ -353,6 +367,7 @@ static ConfigTable config_back_cf_table[] = {
                 ARG_IGNORED, NULL,
  #endif
                 "( OLcfgGlAt:30 NAME 'olcModuleLoad' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
         { "modulepath", "path", 2, 2, 0,
  #ifdef SLAPD_MODULES
@@ -370,6 +385,7 @@ static ConfigTable config_back_cf_table[] = {
                         NULL, NULL },
         { "objectidentifier", NULL,     0, 0, 0, ARG_MAGIC|CFG_OID,
                 &config_generic, "( OLcfgGlAt:33 NAME 'olcObjectIdentifier' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
         { "overlay", "overlay", 2, 2, 0, ARG_MAGIC,
                 &config_overlay, "( OLcfgGlAt:34 NAME 'olcOverlay' "
@@ -379,6 +395,7 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
         { "password-hash", "hash", 2, 2, 0, ARG_MAGIC,
                 &config_passwd_hash, "( OLcfgGlAt:36 NAME 'olcPasswordHash' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "pidfile", "file", 2, 2, 0, ARG_STRING,
                 &slapd_pid_file, "( OLcfgGlAt:37 NAME 'olcPidFile' "
@@ -390,6 +407,7 @@ static ConfigTable config_back_cf_table[] = {
                 ARG_IGNORED, NULL,
  #endif
                 "( OLcfgGlAt:38 NAME 'olcPlugin' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "pluginlog", "filename", 2, 2, 0,
  #ifdef LDAP_SLAPI
@@ -407,6 +425,7 @@ static ConfigTable config_back_cf_table[] = {
                         "SUP labeledURI SINGLE-VALUE )", NULL, NULL },
         { "replica", "host or uri", 2, 0, 0, ARG_DB|ARG_MAGIC,
                 &config_replica, "( OLcfgDbAt:0.7 NAME 'olcReplica' "
+                       "EQUALITY caseIgnoreMatch "
                         "SUP labeledURI X-ORDERED 'VALUES' )", NULL, NULL },
         { "replica-argsfile", NULL, 0, 0, 0, ARG_MAY_DB|ARG_MAGIC|ARG_STRING|CFG_REPLICA_ARGSFILE,
                 &config_generic, "( OLcfgGlAt:43 NAME 'olcReplicaArgsFile' "
@@ -422,9 +441,11 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
         { "require", "features", 2, 0, 7, ARG_MAY_DB|ARG_MAGIC,
                 &config_requires, "( OLcfgGlAt:47 NAME 'olcRequires' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "restrict", "op_list", 2, 0, 0, ARG_MAY_DB|ARG_MAGIC,
                 &config_restrict, "( OLcfgGlAt:48 NAME 'olcRestrict' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "reverse-lookup", "on|off", 2, 2, 0,
  #ifdef SLAPD_RLOOKUPS
@@ -439,6 +460,7 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
         { "rootDSE", "file", 2, 2, 0, ARG_MAGIC|CFG_ROOTDSE,
                 &config_generic, "( OLcfgGlAt:51 NAME 'olcRootDSE' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "rootpw", "password", 2, 2, 0, ARG_BERVAL|ARG_DB|ARG_MAGIC,
                 &config_rootpw, "( OLcfgDbAt:0.9 NAME 'olcRootPW' "
@@ -478,6 +500,7 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
         { "security", "factors", 2, 0, 0, ARG_MAY_DB|ARG_MAGIC,
                 &config_security, "( OLcfgGlAt:59 NAME 'olcSecurity' "
+                       "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
         { "sizelimit", "limit", 2, 0, 0, ARG_MAY_DB|ARG_MAGIC,
                 &config_sizelimit, "( OLcfgGlAt:60 NAME 'olcSizeLimit' "
@@ -498,15 +521,21 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
         { "subordinate", "[advertise]", 1, 2, 0, ARG_DB|ARG_MAGIC,
                 &config_subordinate, "( OLcfgDbAt:0.15 NAME 'olcSubordinate' "
-                       "SYNTAX OMsDirectoryString )", NULL, NULL },
+                       "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
         { "suffix",     "suffix", 2, 2, 0, ARG_DB|ARG_DN|ARG_QUOTE|ARG_MAGIC,
                 &config_suffix, "( OLcfgDbAt:0.10 NAME 'olcSuffix' "
+                       "EQUALITY distinguishedNameMatch "
                         "SYNTAX OMsDN )", NULL, NULL },
         { "syncrepl", NULL, 0, 0, 0, ARG_DB|ARG_MAGIC,
                 &syncrepl_config, "( OLcfgDbAt:0.11 NAME 'olcSyncrepl' "
                         "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-       { "threads", "count", 2, 2, 0, ARG_INT|ARG_MAGIC|CFG_THREADS,
-               &config_generic, "( OLcfgGlAt:66 NAME 'olcThreads' "
+       { "threads", "count", 2, 2, 0,
+#ifdef NO_THREADS
+               ARG_IGNORED, NULL,
+#else
+               ARG_INT|ARG_MAGIC|CFG_THREADS, &config_generic,
+#endif
+               "( OLcfgGlAt:66 NAME 'olcThreads' "
                         "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
         { "timelimit", "limit", 2, 0, 0, ARG_MAY_DB|ARG_MAGIC,
                 &config_timelimit, "( OLcfgGlAt:67 NAME 'olcTimeLimit' "
@@ -593,6 +622,7 @@ static ConfigTable config_back_cf_table[] = {
                         "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
         { "updateref", "url", 2, 2, 0, ARG_DB|ARG_MAGIC,
                 &config_updateref, "( OLcfgDbAt:0.13 NAME 'olcUpdateRef' "
+                       "EQUALITY caseIgnoreMatch "
                         "SUP labeledURI )", NULL, NULL },
         { NULL, NULL, 0, 0, 0, ARG_IGNORED,
                 NULL, NULL, NULL, NULL }
@@ -668,7 +698,7 @@ static ConfigOCs cf_ocs[] = {
                  "olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ "
                  "olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ "
                  "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ "
-                "olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) )",
+                "olcTimeLimit $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode ) )",
                         Cft_Database, NULL, cfAddDatabase },
         { "( OLcfgGlOc:5 "
                 "NAME 'olcOverlayConfig' "
@@ -741,7 +771,8 @@ config_generic(ConfigArgs *c) {
                                                 break;
                                         }
                                         bv.bv_val = buf + bv.bv_len;
-                                       limits_unparse( c->be->be_limits[i], &bv );
+                                       limits_unparse( c->be->be_limits[i], &bv,
+                                                       sizeof( buf ) - ( bv.bv_val - buf ) );
                                         bv.bv_len += bv.bv_val - buf;
                                         bv.bv_val = buf;
                                         value_add_one( &c->rvalue_vals, &bv );
@@ -786,6 +817,9 @@ config_generic(ConfigArgs *c) {
                                 rc = 1;
                         }
                         break;
+               case CFG_ATOPT:
+                       ad_unparse_options( &c->rvalue_vals );
+                       break;
                 case CFG_OC: {
                         ConfigFile *cf = c->private;
                         if ( !cf )
@@ -837,7 +871,7 @@ config_generic(ConfigArgs *c) {
                                 AC_MEMCPY( abv.bv_val, ibuf, abv.bv_len );
                                 /* Turn TAB / EOL into plain space */
                                 for (src=bv.bv_val,dst=abv.bv_val+abv.bv_len; *src; src++) {
-                                       if (isspace(*src)) *dst++ = ' ';
+                                       if (isspace((unsigned char)*src)) *dst++ = ' ';
                                         else *dst++ = *src;
                                 }
                                 *dst = '\0';
@@ -888,6 +922,12 @@ config_generic(ConfigArgs *c) {
                 case CFG_LASTMOD:
                         c->value_int = (SLAP_NOLASTMOD(c->be) == 0);
                         break;
+               case CFG_MIRRORMODE:
+                       if ( SLAP_SHADOW(c->be))
+                               c->value_int = (SLAP_SINGLE_SHADOW(c->be) == 0);
+                       else
+                               rc = 1;
+                       break;
                 case CFG_SSTR_IF_MAX:
                         c->value_int = index_substr_if_maxlen;
                         break;
@@ -974,6 +1014,7 @@ config_generic(ConfigArgs *c) {
                 case CFG_AZPOLICY:
                 case CFG_DEPTH:
                 case CFG_LASTMOD:
+               case CFG_MIRRORMODE:
                 case CFG_SASLSECP:
                 case CFG_SSTR_IF_MAX:
                 case CFG_SSTR_IF_MIN:
@@ -1095,7 +1136,15 @@ config_generic(ConfigArgs *c) {
                         break;
  
                 case CFG_THREADS:
-                       if ( c->value_int > 2 * SLAP_MAX_WORKER_THREADS ) {
+                       if ( c->value_int < 2 ) {
+                               snprintf( c->msg, sizeof( c->msg ),
+                                       "threads=%d smaller than minimum value 2",
+                                       c->value_int );
+                               Debug(LDAP_DEBUG_ANY, "%s: %s.\n",
+                                       c->log, c->msg, 0 );
+                               return 1;
+
+                       } else if ( c->value_int > 2 * SLAP_MAX_WORKER_THREADS ) {
                                 snprintf( c->msg, sizeof( c->msg ),
                                         "warning, threads=%d larger than twice the default (2*%d=%d); YMMV",
                                         c->value_int, SLAP_MAX_WORKER_THREADS, 2 * SLAP_MAX_WORKER_THREADS );
@@ -1209,7 +1258,16 @@ config_generic(ConfigArgs *c) {
                         break;
  
                 case CFG_ACL:
-                       if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, c->valx ) ) {
+                       /* Don't append to the global ACL if we're on a specific DB */
+                       i = c->valx;
+                       if ( c->be != frontendDB && frontendDB->be_acl && c->valx == -1 ) {
+                               AccessControl *a;
+                               i = 0;
+                               for ( a=c->be->be_acl; a && a != frontendDB->be_acl;
+                                       a = a->acl_next )
+                                       i++;
+                       }
+                       if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
                                 return 1;
                         }
                         break;
@@ -1329,6 +1387,20 @@ config_generic(ConfigArgs *c) {
                                 SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_NOLASTMOD;
                         break;
  
+               case CFG_MIRRORMODE:
+                       if(!SLAP_SHADOW(c->be)) {
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> database is not a shadow",
+                                       c->argv[0] );
+                               Debug(LDAP_DEBUG_ANY, "%s: %s\n",
+                                       c->log, c->msg, 0 );
+                               return(1);
+                       }
+                       if(c->value_int)
+                               SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_SINGLE_SHADOW;
+                       else
+                               SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_SINGLE_SHADOW;
+                       break;
+
                 case CFG_SSTR_IF_MAX:
                         if (c->value_int < index_substr_if_minlen) {
                                 snprintf( c->msg, sizeof( c->msg ), "<%s> invalid value", c->argv[0] );
@@ -1373,8 +1445,8 @@ config_generic(ConfigArgs *c) {
                                 char *ptr;
                                 if ( c->op == SLAP_CONFIG_ADD ) {
                                         ptr = c->line + STRLENOF("moduleload");
-                                       while (!isspace(*ptr)) ptr++;
-                                       while (isspace(*ptr)) ptr++;
+                                       while (!isspace((unsigned char) *ptr)) ptr++;
+                                       while (isspace((unsigned char) *ptr)) ptr++;
                                 } else {
                                         ptr = c->line;
                                 }
@@ -1445,13 +1517,10 @@ config_generic(ConfigArgs *c) {
  
  
                 default:
-                       Debug( SLAPD_DEBUG_CONFIG_ERROR,
-                               "%s: unknown CFG_TYPE %d"
-                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+                       Debug( LDAP_DEBUG_ANY,
+                               "%s: unknown CFG_TYPE %d.\n",
                                 c->log, c->type, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
                         return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
  
         }
         return(0);
@@ -1597,7 +1666,7 @@ config_sizelimit(ConfigArgs *c) {
                 struct berval bv;
                 bv.bv_val = buf;
                 bv.bv_len = 0;
-               limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv );
+               limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv, sizeof( buf ) );
                 if ( !BER_BVISEMPTY( &bv ))
                         value_add_one( &c->rvalue_vals, &bv );
                 else
@@ -1648,7 +1717,7 @@ config_timelimit(ConfigArgs *c) {
                 struct berval bv;
                 bv.bv_val = buf;
                 bv.bv_len = 0;
-               limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv );
+               limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv, sizeof( buf ) );
                 if ( !BER_BVISEMPTY( &bv ))
                         value_add_one( &c->rvalue_vals, &bv );
                 else
@@ -1696,12 +1765,10 @@ config_overlay(ConfigArgs *c) {
         }
         if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1])) {
                 /* log error */
-               Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: (optional) %s overlay \"%s\" configuration failed"
-                       SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+               Debug( LDAP_DEBUG_ANY,
+                       "%s: (optional) %s overlay \"%s\" configuration failed.\n",
                         c->log, c->be == frontendDB ? "global " : "", &c->argv[1][1]);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
                 return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
         } else if(overlay_config(c->be, c->argv[1])) {
                 return(1);
         }
@@ -1820,10 +1887,11 @@ config_suffix(ConfigArgs *c)
                         int i = c->valx;
                         ch_free( c->be->be_suffix[i].bv_val );
                         ch_free( c->be->be_nsuffix[i].bv_val );
-                       for (; c->be->be_suffix[i].bv_val; i++) {
+                       do {
                                 c->be->be_suffix[i] = c->be->be_suffix[i+1];
                                 c->be->be_nsuffix[i] = c->be->be_nsuffix[i+1];
-                       }
+                               i++;
+                       } while ( !BER_BVISNULL( &c->be->be_suffix[i] ) );
                 }
                 return 0;
         }
@@ -1842,13 +1910,9 @@ config_suffix(ConfigArgs *c)
         ndn = c->value_ndn;
         tbe = select_backend(&ndn, 0, 0);
         if(tbe == c->be) {
-               Debug( SLAPD_DEBUG_CONFIG_ERROR,
-                       "%s: suffix already served by this backend!"
-                       SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+               Debug( LDAP_DEBUG_ANY, "%s: suffix already served by this backend!.\n",
                         c->log, 0, 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
                 return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                 free(pdn.bv_val);
                 free(ndn.bv_val);
         } else if(tbe) {
@@ -1947,7 +2011,7 @@ config_restrict(ConfigArgs *c) {
                 { BER_BVC("modrdn"),            0 },
                 { BER_BVC("delete"),            SLAP_RESTRICT_OP_DELETE },
                 { BER_BVC("search"),            SLAP_RESTRICT_OP_SEARCH },
-               { BER_BVC("compare"),   SLAP_RESTRICT_OP_COMPARE },
+               { BER_BVC("compare"),           SLAP_RESTRICT_OP_COMPARE },
                 { BER_BVC("read"),              SLAP_RESTRICT_OP_READS },
                 { BER_BVC("write"),             SLAP_RESTRICT_OP_WRITES },
                 { BER_BVC("extended"),  SLAP_RESTRICT_OP_EXTENDED },
@@ -1955,6 +2019,7 @@ config_restrict(ConfigArgs *c) {
                 { BER_BVC("extended=" LDAP_EXOP_MODIFY_PASSWD ),        SLAP_RESTRICT_EXOP_MODIFY_PASSWD },
                 { BER_BVC("extended=" LDAP_EXOP_X_WHO_AM_I ),           SLAP_RESTRICT_EXOP_WHOAMI },
                 { BER_BVC("extended=" LDAP_EXOP_X_CANCEL ),             SLAP_RESTRICT_EXOP_CANCEL },
+               { BER_BVC("all"),               SLAP_RESTRICT_OP_ALL },
                 { BER_BVNULL,   0 }
         };
  
@@ -1992,6 +2057,7 @@ config_allows(ConfigArgs *c) {
                 { BER_BVC("bind_anon_cred"),    SLAP_ALLOW_BIND_ANON_CRED },
                 { BER_BVC("bind_anon_dn"),      SLAP_ALLOW_BIND_ANON_DN },
                 { BER_BVC("update_anon"),       SLAP_ALLOW_UPDATE_ANON },
+               { BER_BVC("proxy_authz_anon"),  SLAP_ALLOW_PROXY_AUTHZ_ANON },
                 { BER_BVNULL,   0 }
         };
         if (c->op == SLAP_CONFIG_EMIT) {
@@ -2103,8 +2169,10 @@ loglevel_init( void )
                 { BER_BVC("Stats2"),    LDAP_DEBUG_STATS2 },
                 { BER_BVC("Shell"),     LDAP_DEBUG_SHELL },
                 { BER_BVC("Parse"),     LDAP_DEBUG_PARSE },
+#if 0  /* no longer used (nor supported) */
                 { BER_BVC("Cache"),     LDAP_DEBUG_CACHE },
                 { BER_BVC("Index"),     LDAP_DEBUG_INDEX },
+#endif
                 { BER_BVC("Sync"),      LDAP_DEBUG_SYNC },
                 { BER_BVC("None"),      LDAP_DEBUG_NONE },
                 { BER_BVNULL,           0 }
@@ -2170,7 +2238,7 @@ slap_loglevel_get( struct berval *s, int *l )
         rc = slap_verbmasks_append( &loglevel_ops, i, s, loglevel_ignore );
  
         if ( rc != 0 ) {
-               Debug( LDAP_DEBUG_ANY, "slap_loglevel_register(%lu, \"%s\") failed\n",
+               Debug( LDAP_DEBUG_ANY, "slap_loglevel_get(%lu, \"%s\") failed\n",
                         i, s->bv_val, 0 );
  
         } else {
@@ -2266,7 +2334,7 @@ config_loglevel(ConfigArgs *c) {
         for( i=1; i < c->argc; i++ ) {
                 int     level;
  
-               if ( isdigit( c->argv[i][0] ) || c->argv[i][0] == '-' ) {
+               if ( isdigit((unsigned char)c->argv[i][0]) || c->argv[i][0] == '-' ) {
                         if( lutil_atoi( &level, c->argv[i] ) != 0 ) {
                                 snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse level", c->argv[0] );
                                 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
@@ -2399,10 +2467,14 @@ config_security(ConfigArgs *c) {
  }
  
  char *
-anlist_unparse( AttributeName *an, char *ptr ) {
+anlist_unparse( AttributeName *an, char *ptr, ber_len_t buflen ) {
         int comma = 0;
+       char *start = ptr;
  
         for (; !BER_BVISNULL( &an->an_name ); an++) {
+               /* if buflen == 0, assume the buffer size has been 
+                * already checked otherwise */
+               if ( buflen > 0 && buflen - ( ptr - start ) < comma + an->an_name.bv_len ) return NULL;
                 if ( comma ) *ptr++ = ',';
                 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
                 comma = 1;
@@ -2466,7 +2538,7 @@ replica_unparse( struct slap_replica_info *ri, int i, struct berval *bv )
                 ptr = lutil_strcopy( ptr, " attrs" );
                 if ( ri->ri_exclude ) *ptr++ = '!';
                 *ptr++ = '=';
-               ptr = anlist_unparse( ri->ri_attrs, ptr );
+               ptr = anlist_unparse( ri->ri_attrs, ptr, 0 );
         }
  }
  
@@ -2559,25 +2631,23 @@ config_replica(ConfigArgs *c) {
                                 /* dealt with separately; don't let it get to bindconf */
                                 ;
  
+                       } else if(!strncasecmp(c->argv[i], "host=", STRLENOF("host="))) {
+                               /* dealt with separately; don't let it get to bindconf */
+                               ;
+
                         } else if(!strncasecmp(c->argv[i], "suffix=", STRLENOF( "suffix="))) {
                                 switch(add_replica_suffix(c->be, nr, c->argv[i] + STRLENOF("suffix="))) {
                                         case 1:
-                                               Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: "
-                                               "suffix \"%s\" in \"replica\" line is not valid for backend"
-                                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-                                               c->log, c->argv[i] + STRLENOF("suffix="), 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+                                               Debug( LDAP_DEBUG_ANY, "%s: "
+                                                       "suffix \"%s\" in \"replica\" line is not valid for backend.\n",
+                                                       c->log, c->argv[i] + STRLENOF("suffix="), 0);
                                                 return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                                                 break;
                                         case 2:
-                                               Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: "
-                                               "unable to normalize suffix in \"replica\" line"
-                                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-                                               c->log, 0, 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+                                               Debug( LDAP_DEBUG_ANY, "%s: "
+                                                       "unable to normalize suffix in \"replica\" line.\n",
+                                                       c->log, 0, 0);
                                                 return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                                                 break;
                                 }
  
@@ -2670,7 +2740,7 @@ config_shadow( ConfigArgs *c, int flag )
                 return 1;
         }
  
-       SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | flag);
+       SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SINGLE_SHADOW | flag);
  
         return 0;
  }
@@ -2759,8 +2829,9 @@ config_include(ConfigArgs *c) {
  static int
  config_tls_option(ConfigArgs *c) {
         int flag;
+       LDAP *ld = slap_tls_ld;
         switch(c->type) {
-       case CFG_TLS_RAND:      flag = LDAP_OPT_X_TLS_RANDOM_FILE;      break;
+       case CFG_TLS_RAND:      flag = LDAP_OPT_X_TLS_RANDOM_FILE;      ld = NULL; break;
         case CFG_TLS_CIPHER:    flag = LDAP_OPT_X_TLS_CIPHER_SUITE;     break;
         case CFG_TLS_CERT_FILE: flag = LDAP_OPT_X_TLS_CERTFILE;         break;  
         case CFG_TLS_CERT_KEY:  flag = LDAP_OPT_X_TLS_KEYFILE;          break;
@@ -2773,12 +2844,12 @@ config_tls_option(ConfigArgs *c) {
                 return 1;
         }
         if (c->op == SLAP_CONFIG_EMIT) {
-               return ldap_pvt_tls_get_option( NULL, flag, &c->value_string );
+               return ldap_pvt_tls_get_option( ld, flag, &c->value_string );
         } else if ( c->op == LDAP_MOD_DELETE ) {
-               return ldap_pvt_tls_set_option( NULL, flag, NULL );
+               return ldap_pvt_tls_set_option( ld, flag, NULL );
         }
         ch_free(c->value_string);
-       return(ldap_pvt_tls_set_option(NULL, flag, c->argv[1]));
+       return(ldap_pvt_tls_set_option(ld, flag, c->argv[1]));
  }
  
  /* FIXME: this ought to be provided by libldap */
@@ -2808,7 +2879,7 @@ config_tls_config(ConfigArgs *c) {
                 return 1;
         }
         if (c->op == SLAP_CONFIG_EMIT) {
-               ldap_pvt_tls_get_option( NULL, flag, &c->value_int );
+               ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int );
                 for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
                         if (keys[i].mask == c->value_int) {
                                 c->value_string = ch_strdup( keys[i].word.bv_val );
@@ -2818,7 +2889,7 @@ config_tls_config(ConfigArgs *c) {
                 return 1;
         } else if ( c->op == LDAP_MOD_DELETE ) {
                 int i = 0;
-               return ldap_pvt_tls_set_option( NULL, flag, &i );
+               return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );
         }
         ch_free( c->value_string );
         if ( isdigit( (unsigned char)c->argv[1][0] ) ) {
@@ -2828,9 +2899,9 @@ config_tls_config(ConfigArgs *c) {
                                 c->log, c->argv[0], c->argv[1] );
                         return 1;
                 }
-               return(ldap_pvt_tls_set_option(NULL, flag, &i));
+               return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i));
         } else {
-               return(ldap_int_tls_config(NULL, flag, c->argv[1]));
+               return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1]));
         }
  }
  #endif
@@ -2886,7 +2957,7 @@ config_ldif_resp( Operation *op, SlapReply *rs )
                 setup_cookie *sc = op->o_callback->sc_private;
  
                 sc->cfb->cb_got_ldif = 1;
-               rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL );
+               rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL, NULL );
                 if ( rs->sr_err != LDAP_SUCCESS ) {
                         Debug( LDAP_DEBUG_ANY, "config error processing %s: %s\n",
                                 rs->sr_entry->e_name.bv_val, sc->ca->msg, 0 );
@@ -2959,6 +3030,7 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
  
         if ( readit ) {
                 void *thrctx = ldap_pvt_thread_pool_context();
+               int prev_DN_strict;
  
                 op = (Operation *) &opbuf;
                 connection_fake_init( &conn, op, thrctx );
@@ -2989,8 +3061,16 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
                 cb.sc_private = &sc;
  
                 op->o_bd = &cfb->cb_db;
+               
+               /* Allow unknown attrs in DNs */
+               prev_DN_strict = slap_DN_strict;
+               slap_DN_strict = 0;
+
                 rc = op->o_bd->be_search( op, &rs );
  
+               /* Restore normal DN validation */
+               slap_DN_strict = prev_DN_strict;
+
                 ldap_pvt_thread_pool_context_reset( thrctx );
         }
  
@@ -3044,6 +3124,7 @@ read_config(const char *fname, const char *dir) {
                 return 1;
  
         cfb = be->be_private;
+       be->be_dfltaccess = ACL_NONE;
  
         /* If no .conf, or a dir was specified, setup the dir */
         if ( !fname || dir ) {
@@ -3069,10 +3150,18 @@ read_config(const char *fname, const char *dir) {
                         if ( rc != LDAP_NO_SUCH_OBJECT )
                                 return 1;
                         /* ITS#4194: But if dir was specified and no fname,
-                        * then we were supposed to read the dir.
+                        * then we were supposed to read the dir. Unless we're
+                        * trying to slapadd the dir...
                          */
-                       if ( dir && !fname )
-                               return 1;
+                       if ( dir && !fname ) {
+                               if ( slapMode & (SLAP_SERVER_MODE|SLAP_TOOL_READMAIN|SLAP_TOOL_READONLY))
+                                       return 1;
+                               /* Assume it's slapadd with a config dir, let it continue */
+                               rc = 0;
+                               cfb->cb_got_ldif = 1;
+                               cfb->cb_use_ldif = 1;
+                               goto done;
+                       }
                 }
  
                 /* If we read the config from back-ldif, nothing to do here */
@@ -3092,25 +3181,6 @@ read_config(const char *fname, const char *dir) {
         if ( rc == 0 )
                 ber_str2bv( cfname, 0, 1, &cfb->cb_config->c_file );
  
-       /* If we got this far and failed, it may be a serious problem. In server
-        * mode, we should never come to this. However, it may be alright if we're
-        * using slapadd to create the conf dir.
-        */
-       while ( rc ) {
-               if ( slapMode & (SLAP_SERVER_MODE|SLAP_TOOL_READMAIN|SLAP_TOOL_READONLY))
-                       break;
-               /* If a config file was explicitly given, fail */
-               if ( fname )
-                       break;
-               
-               /* Seems to be slapadd with a config dir, let it continue */
-               if ( cfb->cb_use_ldif ) {
-                       rc = 0;
-                       cfb->cb_got_ldif = 1;
-               }
-               break;
-       }
-
  done:
         if ( rc == 0 && BER_BVISNULL( &frontendDB->be_schemadn ) ) {
                 ber_str2bv( SLAPD_SCHEMA_DN, STRLENOF( SLAPD_SCHEMA_DN ), 1,
@@ -3519,7 +3589,8 @@ cfAddOverlay( CfEntryInfo *p, Entry *e, struct config_args_s *ca )
  
  /* Parse an LDAP entry into config directives */
  static int
-config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, int *renum )
+config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
+       int *renum, Operation *op )
  {
         CfEntryInfo *ce, *last;
         ConfigOCs **colst;
@@ -3545,6 +3616,15 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i
                 return LDAP_NO_SUCH_OBJECT;
         }
  
+       if ( op ) {
+               /* No parent, must be root. This will never happen... */
+               if ( !last && !be_isroot( op ) && !be_shadow_update( op ))
+                       return LDAP_NO_SUCH_OBJECT;
+               if ( last && !access_allowed( op, last->ce_entry,
+                       slap_schema.si_ad_children, NULL, ACL_WADD, NULL ))
+                       return LDAP_INSUFFICIENT_ACCESS;
+       }
+
         oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass );
         if ( !oc_at ) return LDAP_OBJECT_CLASS_VIOLATION;
  
@@ -3612,9 +3692,19 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i
          * These entries can have auto-assigned indexes (appended to the end)
          * but only the other types support auto-renumbering of siblings.
          */
-       rc = check_name_index( last, colst[0]->co_type, e, rs, renum );
-       if ( rc )
-               goto done;
+       {
+               int renumber = renum ? *renum : 0;
+               rc = check_name_index( last, colst[0]->co_type, e, rs, renum );
+               if ( rc ) {
+                       goto done;
+               }
+               if ( renum && *renum && renumber == -1 ) {
+                       snprintf( ca->msg, sizeof( ca->msg ),
+                               "operation requires sibling renumbering" );
+                       rc = LDAP_UNWILLING_TO_PERFORM;
+                       goto done;
+               }
+       }
  
         init_config_argv( ca );
  
@@ -3716,7 +3806,8 @@ config_back_add( Operation *op, SlapReply *rs )
         int renumber;
         ConfigArgs ca;
  
-       if ( !be_isroot( op ) ) {
+       if ( !access_allowed( op, op->ora_e, slap_schema.si_ad_entry,
+               NULL, ACL_WADD, NULL )) {
                 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                 goto out;
         }
@@ -3732,10 +3823,15 @@ config_back_add( Operation *op, SlapReply *rs )
          * 4) store entry in underlying database
          * 5) perform any necessary renumbering
          */
-       rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber );
+       /* NOTE: by now we do not accept adds that require renumbering */
+       renumber = -1;
+       rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber, op );
         if ( rs->sr_err != LDAP_SUCCESS ) {
                 rs->sr_text = ca.msg;
-       } else if ( cfb->cb_use_ldif ) {
+               goto out2;
+       }
+
+       if ( cfb->cb_use_ldif ) {
                 BackendDB *be = op->o_bd;
                 slap_callback sc = { NULL, slap_null_cb, NULL, NULL };
                 struct berval dn, ndn;
@@ -3756,12 +3852,15 @@ config_back_add( Operation *op, SlapReply *rs )
                 op->o_dn = dn;
                 op->o_ndn = ndn;
         }
+
         if ( renumber ) {
+               /* TODO */
         }
  
+out2:;
         ldap_pvt_thread_pool_resume( &connection_pool );
  
-out:
+out:;
         send_ldap_result( op, rs );
         return rs->sr_err;
  }
@@ -3798,6 +3897,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
         ca->bi = ce->ce_bi;
         ca->private = ce->ce_private;
         ca->ca_entry = e;
+       ca->fname = "slapd";
         strcpy( ca->log, "back-config" );
  
         for (ml = op->orm_modlist; ml; ml=ml->sml_next) {
@@ -4024,6 +4124,11 @@ out:
         }
         ch_free( ca->argv );
         if ( colst ) ch_free( colst );
+       while( dels ) {
+               deltail = dels->next;
+               ch_free( dels );
+               dels = deltail;
+       }
  
         return rc;
  }
@@ -4039,11 +4144,6 @@ config_back_modify( Operation *op, SlapReply *rs )
         char *ptr;
         AttributeDescription *rad = NULL;
  
-       if ( !be_isroot( op ) ) {
-               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-               goto out;
-       }
-
         cfb = (CfBackInfo *)op->o_bd->be_private;
  
         ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last );
@@ -4054,6 +4154,11 @@ config_back_modify( Operation *op, SlapReply *rs )
                 goto out;
         }
  
+       if ( !acl_check_modlist( op, ce->ce_entry, op->orm_modlist )) {
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               goto out;
+       }
+
         /* Get type of RDN */
         rdn = ce->ce_entry->e_nname;
         ptr = strchr( rdn.bv_val, '=' );
@@ -4114,11 +4219,6 @@ config_back_modrdn( Operation *op, SlapReply *rs )
         CfBackInfo *cfb;
         CfEntryInfo *ce, *last;
  
-       if ( !be_isroot( op ) ) {
-               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-               goto out;
-       }
-
         cfb = (CfBackInfo *)op->o_bd->be_private;
  
         ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last );
@@ -4128,6 +4228,22 @@ config_back_modrdn( Operation *op, SlapReply *rs )
                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
                 goto out;
         }
+       if ( !access_allowed( op, ce->ce_entry, slap_schema.si_ad_entry,
+               NULL, ACL_WRITE, NULL )) {
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               goto out;
+       }
+       { Entry *parent;
+               if ( ce->ce_parent )
+                       parent = ce->ce_parent->ce_entry;
+               else
+                       parent = (Entry *)&slap_entry_root;
+               if ( !access_allowed( op, parent, slap_schema.si_ad_children,
+                       NULL, ACL_WRITE, NULL )) {
+                       rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+                       goto out;
+               }
+       }
  
         /* We don't allow moving objects to new parents.
          * Generally we only allow reordering a set of ordered entries.
@@ -4138,6 +4254,9 @@ config_back_modrdn( Operation *op, SlapReply *rs )
         }
         ldap_pvt_thread_pool_pause( &connection_pool );
  
+       rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+       rs->sr_text = "renaming not implemented yet within naming context";
+
         ldap_pvt_thread_pool_resume( &connection_pool );
  out:
         send_ldap_result( op, rs );
@@ -4149,11 +4268,7 @@ config_back_search( Operation *op, SlapReply *rs )
  {
         CfBackInfo *cfb;
         CfEntryInfo *ce, *last;
-
-       if ( !be_isroot( op ) ) {
-               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-               goto out;
-       }
+       slap_mask_t mask;
  
         cfb = (CfBackInfo *)op->o_bd->be_private;
  
@@ -4164,6 +4279,16 @@ config_back_search( Operation *op, SlapReply *rs )
                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
                 goto out;
         }
+       if ( !access_allowed_mask( op, ce->ce_entry, slap_schema.si_ad_entry, NULL,
+               ACL_SEARCH, NULL, &mask ))
+       {
+               if ( !ACL_GRANT( mask, ACL_DISCLOSE )) {
+                       rs->sr_err = LDAP_NO_SUCH_OBJECT;
+               } else {
+                       rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               }
+               goto out;
+       }
         switch ( op->ors_scope ) {
         case LDAP_SCOPE_BASE:
         case LDAP_SCOPE_SUBTREE:
@@ -4196,7 +4321,9 @@ config_build_attrs( Entry *e, AttributeType **at, AttributeDescription *ad,
                 for (i=0;ct[i].name;i++) {
                         if (ct[i].ad == (*at)->sat_ad) {
                                 rc = config_get_vals(&ct[i], c);
-                               if (rc == LDAP_SUCCESS) {
+                               /* NOTE: tolerate that config_get_vals()
+                                * returns success with no values */
+                               if (rc == LDAP_SUCCESS && c->rvalue_vals != NULL ) {
                                         if ( c->rvalue_nvals )
                                                 attr_merge(e, ct[i].ad, c->rvalue_vals,
                                                         c->rvalue_nvals);
@@ -4229,6 +4356,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent,
         ObjectClass *oc;
         CfEntryInfo *ceprev = NULL;
  
+       Debug( LDAP_DEBUG_TRACE, "config_build_entry: \"%s\"\n", rdn->bv_val, 0, 0);
         e->e_private = ce;
         ce->ce_entry = e;
         ce->ce_parent = parent;
@@ -4288,6 +4416,10 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent,
         if ( op ) {
                 op->ora_e = e;
                 op->o_bd->be_add( op, rs );
+               if ( ( rs->sr_err != LDAP_SUCCESS ) 
+                               && (rs->sr_err != LDAP_ALREADY_EXISTS) ) {
+                       return NULL;
+               }
         }
         if ( ceprev ) {
                 ceprev->ce_sibs = ce;
@@ -4298,7 +4430,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent,
         return e;
  }
  
-static void
+static int
  config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent,
         Operation *op, SlapReply *rs )
  {
@@ -4322,7 +4454,7 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent,
                 c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=" SLAP_X_ORDERED_FMT, c->depth);
                 if ( c->value_dn.bv_len >= sizeof( c->log ) ) {
                         /* FIXME: how can indicate error? */
-                       return;
+                       return -1;
                 }
                 strncpy( c->value_dn.bv_val + c->value_dn.bv_len, bv.bv_val,
                         bv.bv_len );
@@ -4332,14 +4464,17 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent,
                 c->private = cf;
                 e = config_build_entry( op, rs, ceparent, c, &c->value_dn,
                         &CFOC_SCHEMA, NULL );
-               if ( e && cf->c_kids ) {
+               if ( !e ) {
+                       return -1;
+               } else if ( e && cf->c_kids ) {
                         c->private = cf->c_kids;
                         config_build_schema_inc( c, e->e_private, op, rs );
                 }
         }
+       return 0;
  }
  
-static void
+static int
  config_build_includes( ConfigArgs *c, CfEntryInfo *ceparent,
         Operation *op, SlapReply *rs )
  {
@@ -4352,21 +4487,24 @@ config_build_includes( ConfigArgs *c, CfEntryInfo *ceparent,
                 c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=include" SLAP_X_ORDERED_FMT, i);
                 if ( c->value_dn.bv_len >= sizeof( c->log ) ) {
                         /* FIXME: how can indicate error? */
-                       return;
+                       return -1;
                 }
                 c->private = cf;
                 e = config_build_entry( op, rs, ceparent, c, &c->value_dn,
                         &CFOC_INCLUDE, NULL );
-               if ( e && cf->c_kids ) {
+               if ( ! e ) {
+                       return -1;
+               } else if ( e && cf->c_kids ) {
                         c->private = cf->c_kids;
                         config_build_includes( c, e->e_private, op, rs );
                 }
         }
+       return 0;
  }
  
  #ifdef SLAPD_MODULES
  
-static void
+static int
  config_build_modules( ConfigArgs *c, CfEntryInfo *ceparent,
         Operation *op, SlapReply *rs )
  {
@@ -4380,15 +4518,21 @@ config_build_modules( ConfigArgs *c, CfEntryInfo *ceparent,
                 c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=module" SLAP_X_ORDERED_FMT, i);
                 if ( c->value_dn.bv_len >= sizeof( c->log ) ) {
                         /* FIXME: how can indicate error? */
-                       return;
+                       return -1;
                 }
                 c->private = mp;
-               config_build_entry( op, rs, ceparent, c, &c->value_dn,
-                       &CFOC_MODULE, NULL );
+               if ( ! config_build_entry( op, rs, ceparent, c, &c->value_dn, &CFOC_MODULE, NULL )) {
+                       return -1;
+               }
         }
+        return 0;
  }
  #endif
  
+static const char *defacl[] = {
+       NULL, "to", "*", "by", "*", "none", NULL
+};
+
  static int
  config_back_db_open( BackendDB *be )
  {
@@ -4406,6 +4550,15 @@ config_back_db_open( BackendDB *be )
         SlapReply rs = {REP_RESULT};
         void *thrctx = NULL;
  
+       Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
+
+       /* If we have no explicitly configured ACLs, don't just use
+        * the global ACLs. Explicitly deny access to everything.
+        */
+       if ( frontendDB->be_acl && be->be_acl == frontendDB->be_acl ) {
+               parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+       }
+
         /* If we read the config from back-ldif, nothing to do here */
         if ( cfb->cb_got_ldif )
                 return 0;
@@ -4429,6 +4582,9 @@ config_back_db_open( BackendDB *be )
         c.private = cfb->cb_config;
         c.be = frontendDB;
         e = config_build_entry( op, &rs, NULL, &c, &rdn, &CFOC_GLOBAL, NULL );
+       if ( !e ) {
+               return -1;
+       }
         ce = e->e_private;
         cfb->cb_root = ce;
  
@@ -4439,13 +4595,17 @@ config_back_db_open( BackendDB *be )
         if ( cfb->cb_config->c_kids ) {
                 c.depth = 0;
                 c.private = cfb->cb_config->c_kids;
-               config_build_includes( &c, ceparent, op, &rs );
+               if ( config_build_includes( &c, ceparent, op, &rs ) ) {
+                       return -1;
+               }
         }
  
  #ifdef SLAPD_MODULES
         /* Create Module nodes... */
         if ( modpaths.mp_loads ) {
-               config_build_modules( &c, ceparent, op, &rs );
+               if ( config_build_modules( &c, ceparent, op, &rs ) ){
+                       return -1;
+               }
         }
  #endif
  
@@ -4456,13 +4616,18 @@ config_back_db_open( BackendDB *be )
         rdn = schema_rdn;
         c.private = NULL;
         e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_SCHEMA, NULL );
+       if ( !e ) {
+               return -1;
+       }
         ce = e->e_private;
  
         /* Create schema nodes for included schema... */
         if ( cfb->cb_config->c_kids ) {
                 c.depth = 0;
                 c.private = cfb->cb_config->c_kids;
-               config_build_schema_inc( &c, ce, op, &rs );
+               if (config_build_schema_inc( &c, ce, op, &rs )) {
+                       return -1;
+               }
         }
  
         /* Create backend nodes. Skip if they don't provide a cf_table.
@@ -4492,6 +4657,9 @@ config_back_db_open( BackendDB *be )
                 c.bi = bi;
                 e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_BACKEND,
                         bi->bi_cf_ocs );
+               if ( !e ) {
+                       return -1;
+               }
         }
  
         /* Create database nodes... */
@@ -4528,6 +4696,9 @@ config_back_db_open( BackendDB *be )
                 c.bi = bi;
                 e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_DATABASE,
                         be->be_cf_ocs );
+               if ( !e ) {
+                       return -1;
+               }
                 ce = e->e_private;
                 if ( be->be_cf_ocs && be->be_cf_ocs->co_cfadd )
                         be->be_cf_ocs->co_cfadd( op, &rs, e, &c );
@@ -4555,6 +4726,9 @@ config_back_db_open( BackendDB *be )
                                 c.bi = &on->on_bi;
                                 oe = config_build_entry( op, &rs, ce, &c, &rdn,
                                         &CFOC_OVERLAY, c.bi->bi_cf_ocs );
+                               if ( !oe ) {
+                                       return -1;
+                               }
                                 if ( c.bi->bi_cf_ocs && c.bi->bi_cf_ocs->co_cfadd )
                                         c.bi->bi_cf_ocs->co_cfadd( op, &rs, oe, &c );
                         }
@@ -4743,7 +4917,7 @@ config_tool_entry_put( BackendDB *be, Entry *e, struct berval *text )
         ConfigArgs ca;
  
         if ( bi && bi->bi_tool_entry_put &&
-               config_add_internal( cfb, e, &ca, NULL, NULL ) == 0 )
+               config_add_internal( cfb, e, &ca, NULL, NULL, NULL ) == 0 )
                 return bi->bi_tool_entry_put( &cfb->cb_db, e, text );
         else
                 return NOID;
@@ -4796,6 +4970,9 @@ config_back_initialize( BackendInfo *bi )
                 NULL
         };
  
+       /* Make sure we don't exceed the bits reserved for userland */
+       config_check_userland( CFG_LAST );
+
         bi->bi_controls = controls;
  
         bi->bi_open = 0;
@@ -4823,9 +5000,7 @@ config_back_initialize( BackendInfo *bi )
  
         bi->bi_chk_referrals = 0;
  
-#ifdef SLAP_OVERLAY_ACCESS
-       bi->bi_access_allowed = slap_access_always_allowed;
-#endif /* SLAP_OVERLAY_ACCESS */
+       bi->bi_access_allowed = slap_access_allowed;
  
         bi->bi_connection_init = 0;
         bi->bi_connection_destroy = 0;
@@ -4837,9 +5012,6 @@ config_back_initialize( BackendInfo *bi )
         bi->bi_tool_entry_get = config_tool_entry_get;
         bi->bi_tool_entry_put = config_tool_entry_put;
  
-       /* Make sure we don't exceed the bits reserved for userland */
-       assert( ( ( CFG_LAST - 1 ) & ARGS_USERLAND ) == ( CFG_LAST - 1 ) );
-
         argv[3] = NULL;
         for (i=0; OidMacros[i].name; i++ ) {
                 argv[1] = OidMacros[i].name;